[24256] in bugtraq
NetWin CWMail.exe Buffer Overflow
daemon@ATHENA.MIT.EDU (NGSSoftware Insight Security Resea)
Wed Feb 13 15:17:17 2002
Message-ID: <006b01c1b490$6739b510$4201010a@kodiak>
From: "NGSSoftware Insight Security Research" <nisr@nextgenss.com>
To: <bugtraq@securityfocus.com>
Date: Wed, 13 Feb 2002 13:14:02 -0000
NGSSoftware Insight Security Research Advisory
Name: NetWin CWMail.exe Buffer Overflow
Systems Affected: IIS4 & IIS5
Severity: High
Vendor URL: http://www.netwinsite.com
Author: Mark Litchfield (mark@ngssoftware.com)
Date: 13th February 2002
Advisory number: #NISR12022002
Description
***********
CWMail is a fully featured Corporate Web Mail System for institutions or
ISPs using the web as their primary means of access to email. CWMail is
available for a wide variety of platforms and allows all email processing to
be handled via a client web browser rather than from an email client
package.
Details
*******
CWMail.exe is the main executable that provides the program's functionality
on the Windows platforms. It is typically located in either the 'cgi-bin'
or 'scripts' directory of an IIS server. After a successful logon, selecting
the forward (mail) option and filling the parameter 'item=' with a large
string of characters overflows a buffer and overwrites the saved return
address. This causes an access violation and allows the remote execution of
arbitrary code.
Fix Information
***************
NGSSoftware alerted NetWin to these problems on the 10th of February; NetWin
responded extremely quickly with a patch. This patch has been available from
the 12th of February, and can be downloaded from
http://netwinsite.com/dmailweb/download2.htm
We would like to point out that the fix turnaround time of 36 hours is the
fastest that the members of the NISR team have encountered; we would
like to commend NetWin for the speed of their response and
their commitment to the security of their customers.
A check for these issues has been added to Typhon II; more information
about it is available from the NGSSoftware website,
http://www.ngssoftware.com.
Further Information
*******************
For further information about the scope and effects of buffer overflows,
please see
http://www.ngssoftware.com/papers/ntbufferoverflow.html
http://www.ngssoftware.com/papers/bufferoverflowpaper.rtf
http://www.ngssoftware.com/papers/unicodebo.pdf